Security & Trust

Steward holds the most sensitive data a company has. It's built accordingly.

Spend, bank connections, and the general ledger all live here. Below is exactly how we protect them — every item is a control that's live in the product today, described plainly, with nothing we can't back up.

Your data is isolated at the database
Every table is scoped to your organization with Postgres row-level security, and queries fail closed if the tenant context is ever missing. One customer's books are invisible to another at the database layer — not just in application code.
Least-privilege by construction
The application runs as a restricted database role that can only ever see the current tenant; migrations and platform operations use a separate owning role. A bug in app code cannot escape your organization's boundary.
Even our staff can't quietly read your books
Internal support runs on a separate plane with no standing access to your data. Any access is explicit, requires a stated reason, is time-boxed, and is written to the audit log. You can always see who looked and why.
A tamper-evident audit trail
Every action appends to a hash-chained, append-only log. Records can't be edited or deleted through the app, and the chain is independently verifiable — if a single row were altered, verification pinpoints exactly which one.
Encrypted in transit and at rest
All traffic is encrypted in transit with TLS. The OAuth tokens that connect your bank feeds and accounting system are encrypted at rest with AES-256-GCM, an authenticated encryption mode, so tampering with the stored ciphertext is detected.
We never store card numbers
Steward connects to transaction feeds and your books. Full card numbers (PANs) are never stored — there's nothing there to leak.
Role-based access and scoped guest links
Owner, finance, approver, submitter, and read-only auditor roles gate every action. Email addresses are verified, and guests or contractors submit through single-use, scope-limited links — no account, no license, no standing access.
Built for data residency
Every record carries a region tag — the foundation for keeping a customer's data in a chosen region as we expand.
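To illustrate the tamper-evident audit trail described above, here is an added sketch of how a hash chain lets a verifier name the first altered row. It is not Steward's code: the SHA-256 hash, the canonical-JSON encoding, the genesis value, and the field names (`seq`, `prev_hash`, `payload`, `hash`) are all assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed starting value for the chain


def entry_hash(prev_hash, payload):
    # Canonical JSON so the same payload always hashes to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, payload):
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"seq": len(log), "prev_hash": prev_hash,
                "payload": payload, "hash": entry_hash(prev_hash, payload)})


def verify(log, expected_head=None):
    """Return None if the chain is intact, else (seq, reason) for the first bad row."""
    prev_hash = GENESIS
    for position, row in enumerate(log):
        if row["seq"] != position:
            return (position, "sequence gap: a row was removed or reordered")
        if row["prev_hash"] != prev_hash:
            return (position, "link broken: predecessor was changed or removed")
        if row["hash"] != entry_hash(row["prev_hash"], row["payload"]):
            return (position, "content changed after it was written")
        prev_hash = row["hash"]
    # Truncating the tail leaves a valid shorter chain, so compare against a
    # head hash recorded outside the log store when one is available.
    if expected_head is not None and prev_hash != expected_head:
        return (len(log), "head mismatch: log was truncated or replaced")
    return None


def build_sample_log():
    # Constructed sample events, not real product data.
    log = []
    for payload in [
        {"actor": "finance@example.test", "action": "expense.approve", "id": 101},
        {"actor": "support@example.test", "action": "access.grant", "reason": "ticket"},
        {"actor": "owner@example.test", "action": "role.change", "to": "auditor"},
    ]:
        append(log, payload)
    return log


if __name__ == "__main__":
    print(verify(build_sample_log()))
```

An in-place edit is reported at the edited row; if the editor also recomputes that row's hash, the break surfaces at the next row's link instead, which is why the head hash is worth recording somewhere the log's writer cannot reach.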
Compliance, stated honestly

Steward is architected to SOC 2 trust principles, and the controls above are the substance an audit examines. We have not yet completed a SOC 2 audit, so we don't display a badge we don't hold — a Type II audit is on our roadmap as we grow into larger deployments. If your review needs our current security posture in writing, ask and we'll share it.

Your data rights

Your data is yours. You can request a full export of your organization's records, or its deletion, at any time — deletion cascades across every table and is itself audited. Self-serve export and deletion controls are rolling out; until then, contact us and we'll action it promptly.

Security questions or a vulnerability to report?
We take disclosures seriously and respond quickly. Reach out and we'll route you to the right person.